The 2013 two-step-verification bypass: a duplicate email defeated Dropbox 2FA
July 2013
Q-CERT researchers found that because Dropbox did not verify email addresses at signup, an attacker who already had a victim's password could register a near-duplicate email, enable 2FA on it, and use the resulting emergency code to switch off the real account's two-step verification.
What happened
In July 2013 a team from Qatar's Q-CERT documented a way to bypass Dropbox's two-step verification. The flaw rested on the fact that Dropbox did not require email-address verification when creating an account. An attacker who already knew the target's password could register a second account under an address that Dropbox's login logic treated as equivalent to the victim's, for example a Hotmail- or Gmail-style address that differed from the victim's only by inserted dots.
By enabling two-step verification on that fake account, the attacker obtained an emergency backup code. That code could then be used against the genuine account to disable its two-step verification, removing the second factor and letting the attacker log in with the password alone. The technique required prior knowledge of the password, but it undercut the very protection users enabled to defend against password compromise.
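The two checks at issue, modelled as an added Python example that is not Dropbox's code or Q-CERT's: the flawed store enforces signup uniqueness on the raw address string and accepts a backup code from any account sharing the canonical identity, while the hardened store checks uniqueness on the canonical form, requires a verified address before two-step verification can be enabled, and scopes a code to the account that issued it. The dot-insensitive canonicalisation and the in-memory account model are assumptions.

```python
import secrets
from dataclasses import dataclass
def canonical(email: str) -> str:
    # Assumed login-side normalisation: lowercase, and for dot-insensitive
    # providers drop dots in the local part so "ja.ne@" matches "jane@".
    local, _, domain = email.strip().lower().rpartition("@")
    if domain in ("gmail.com", "hotmail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"

@dataclass
class Account:
    account_id: int
    email: str
    verified: bool = False
    backup_code: str = ""  # set when two-step verification is enabled

class AccountStore:
    def __init__(self, hardened: bool):
        # hardened=False models the 2013 behaviour, hardened=True the fixes
        self.hardened, self.accounts = hardened, {}

    def register(self, email: str) -> Account:
        # Flawed: uniqueness on the raw string although login treats dotted
        # variants as one identity. Hardened: uniqueness on the canonical form.
        key = canonical if self.hardened else str.lower
        if any(key(a.email) == key(email) for a in self.accounts.values()):
            raise ValueError("address already registered")
        acct = Account(len(self.accounts) + 1, email)
        self.accounts[acct.account_id] = acct
        return acct

    def enable_2fa(self, account_id: int) -> str:
        acct = self.accounts[account_id]
        if self.hardened and not acct.verified:
            raise PermissionError("verify the email address first")
        acct.backup_code = secrets.token_hex(8)
        return acct.backup_code

    def disable_2fa(self, account_id: int, code: str) -> bool:
        target = self.accounts[account_id]
        if self.hardened:
            candidates = [target]  # a code only unlocks the account that issued it
        else:  # flawed: any account sharing the canonical identity can supply one
            candidates = [a for a in self.accounts.values()
                          if canonical(a.email) == canonical(target.email)]
        ok = any(a.backup_code and secrets.compare_digest(a.backup_code, code) for a in candidates)
        if ok:
            target.backup_code = ""
        return ok
```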
Impact
The bypass showed that 2FA is only as strong as the account-recovery and identity-verification plumbing around it — a weakness in email handling hollowed out the second factor. It contributed to the broader 2013 narrative (alongside the USENIX client research) that Dropbox's authentication had exploitable seams, and prompted Dropbox to tighten email verification and recovery-code handling.